In a distributed data system serving a large geographical area and having several network management systems, each for managing system components in a portion of the geographical area, the system including a number of workstations at which administrative commands for configuring or monitoring the network may be entered, each network management system and each workstation hosting a number of software processes, a method is provided of storing in the network management systems, and not in the workstations, the information required to determine that an operator at a workstation is authorized to access the network, rendering such information less susceptible to tampering. The trusted system appends to each request from a workstation the operator's user identification, account number, and corporate affiliation; processes to which such requests are routed for disposition may perform checks regarding the appropriateness of fulfilling the request in light of these parameters. Workstations not originating any messages for a predetermined time are automatically logged off to reduce the possibility of unauthorized persons entering requests at a logged-on workstation whose operator has left the vicinity.
BACKGROUND OF THE INVENTION

1. Field of the Invention 

The invention pertains to networks of distrib- 
uted digital data systems, particularly to enhancing 
the reliability and functionality of network manage- 
ment functions by providing an interprocess mes- 
sage transmission method within such networks. 

2. Description of the Prior Art 

The invention is embodied in an EFTPOS (Electronic Funds Transfer / Point of Sale) system such as the one described in U.S. Patent 4,879,716, "Resilient Data Communications System", issued November 7, 1989 to McNally et al (hereinafter, "the McNally patent").

A large number of point-of-sale (POS) terminals 
are distributed over a very large geographical area, 
perhaps on the order of an entire continent. A 
communications network is provided which trans- 
ports data over the entire geographical area, and all 
the POS terminals are connected to it, through 
telephone lines and intelligent line concentrators 
(called network access controllers, or "NACs"). 
Also connected to the communications network are 
computers operated by financial institutions. 

The POS terminals are typically placed into service by merchants, who then accept transactions from consumers who carry plastic credit cards or debit cards which bear in machine-readable form an identification of a financial institution which maintains an account for the consumer, and an identification of that account. The primary function of the system is to forward from the POS terminals to the financial institution computers information identifying a consumer's account and a transaction the consumer wishes to make in that account, and to return from the financial institution to the POS terminal either an acceptance or rejection of that transaction.

A merchant wishing to place a POS terminal 
into service typically obtains the necessary equip- 
ment (the terminals and associated modems, etc.) 
from a "service provider" organization. Such an 
organization might have no role in the EFTPOS 
system beyond that of providing equipment, or 
larger merchants and financial institutions might 
function as service providers; in that case the latter 
role is kept separated from the former. 

In addition to line concentrators for POS termi- 
nals and computers of financial institutions being 
connected to the communications network as de- 
scribed above, two other classes of equipment are 
connected to it which exist ancillarily to the sys- 
tem's aforementioned primary function: network 
management systems (NMSs), and management 
workstations (WSs). (WSs are not specifically discussed in the McNally patent, but are at the heart of SAFs 12 and are attached to NMSs 14 to provide an interface between operators and NMSs.)

NMSs are responsible for overall control and monitoring of the EFTPOS system; WSs are used by the network provider organization and service provider organizations to control and monitor particular equipment and communication paths for which they are responsible. As described in the McNally patent, the NACs can be dynamically reconfigured and can report their present status; operators and administrators at the WSs may enter commands to reconfigure the systems or commands requesting information on the current status of the systems. Commands originating at a WS are passed to an NMS for verification that the action or information requested is within the purview of the requesting organization, and are acted upon by the NMS following that verification.

The WSs and NMSs have software running in them to effect the entry of such commands and the responses to them. Each particular type of command typically invokes a particular path through the software, causing the execution of executable code provided to perform the particular functions required for that command. A software entity dedicated to a discrete function is known in the software arts as a "process".

WSs and NMSs are distributed throughout the geographical area served by the system. The NMS in a particular region of the geographical area generally exercises direct control and monitoring of the POS terminals and NACs in that particular region. A request pertaining to such a terminal or NAC and originating from a process in a WS or NMS in a different region must be forwarded over the communications network to a process in the NMS having cognizance of the target NAC, and a response must be forwarded back to the requesting process.

Under this scheme, WSs can be located anywhere in the geographical area served by the network. From the standpoint of system security, no assumptions should be made about the security of the facilities in which they are located; it may not be safely assumed that unauthorized personnel are precluded from having access to the WSs.

In accord with practices well known in the prior art, the present embodiment requires an operator logging on at a WS to provide a "password", presumably not known to unauthorized persons; the password provided by the person attempting to log on is compared with a prestored expected password, and the operator is not permitted to proceed in the event of noncomparison.

A drawback of the prior art, particularly affecting distributed systems, is that once an operator is logged on to the system, nodes other than the node that verified his logon cannot perform further security checks or verifications.

Summary of the invention 

The present invention overcomes this drawback of the prior art by providing a reliable method of identifying the workstation user originating a message. The NMS to which a workstation is connected associates the user's identification, account, and corporate affiliation with the connection. This association occurs after the user's credentials have been verified at sign-on. Then the user's identification, account, and corporate affiliation are appended to each and every message received from the workstation. Any process receiving a message from the workstation then has reliable information with which to implement security policies.

Objects of the Invention 

It is thus an object of the invention to improve 
security of distributed data systems. 

This and other objects of the invention will be 
apparent to those skilled in the art after reviewing 
the following description of the preferred embodi- 
ment and the appended drawings, wherein: 

Brief Description of the Drawings 

Figure 1 provides an overview of the distrib- 
uted data system in which the present invention is 
embodied. 

Figure 2 provides further detail of that portion 
of the distributed data system embodying the 
present invention. 

Figure 3 is an overview of the method of the 
present invention. 

Description of the Preferred Embodiment 

Figure 1, reproduced here from the McNally patent, provides an overview of the system in which the present invention is embodied, showing NACs 3, terminals 4, communications network 8, financial institutions 10, SAFs 12, NMSs 14, and communication lines 16. As noted above, workstations (WSs) are at the heart of SAFs 12; also, WSs are attached to NMSs 14.

Figure 2 provides greater detail in those por- 
tions of the system directly involved with the 
present invention. Four NMSs 14 are shown (the 
number four being chosen arbitrarily), denoted 14a 
through 14d. Four workstations (WSs) 22 (denoted 
22a through 22d) are shown. 

Each NMS and WS is depicted as hosting a number of processes "P". These are software processes; i.e., as discussed above, software entities dedicated to particular functional tasks.

The units depicted in Figure 2 are shown as being interconnected by communication links 20. These links are conceptual, and might be implemented through communications network 8, or they might be LANs, WANs, or leased or switched telephone lines. Regardless of the nature of the link between a WS and an NMS, a WS is normally linked to only one NMS; should the WS originate a command that must ultimately be resolved by a different NMS, said different NMS will be accessed as a result of NMS-to-NMS communication, and not by virtue of establishing a link between the WS and said different NMS.

A number of NACs 3 are shown in Figure 2. As has been discussed, the primary purpose of the system is to carry data pertaining to financial transactions bidirectionally from terminals 4 (not shown in Figure 2) through NACs 3 to financial institutions 10 (also not shown in Figure 2). Figure 2 does not depict this role of the NACs 3, but rather depicts the paths by means of which NACs 3 are controlled and interrogated. Of the plurality of processes shown in NMSs 14, processes 26 (26a through 26d) are instances of a process called the Administrative Traffic Switch (ATS) process, the function of which is to pass control messages to NACs and to receive status and alarm information from NACs.

Working closely with ATS processes 26 are Network Status Monitor (NSM) processes 28, having an instance in each NMS. NSM 28 maintains a running record of the status of all the NACs (and all the data paths to terminals 4 effectuated by those NACs) within the administrative purview of a particular NMS.

Other processes anywhere in the system may wish to interrogate an instance of NSM 28 to determine the status of a system component or path, or to have an instance of ATS 26 forward an administrative command to a NAC. As Figure 2 shows, every WS and NMS has resident an instance of the Inter-Process Message Service (IPMS) 24. Processes, regardless of whether resident in the same WS or NMS, do not communicate with each other directly, but through the IPMS.

Two system rules are adopted to make implementation easier, and are not inherent or essential: It is a system rule that processes in different workstations may not communicate with each other. It is also a system rule that in any interprocess communication, only one NMS-to-NMS transmission is permitted. (In order to facilitate this, each NMS has a link 20 to every other NMS. This simplifies the detection of messages routed in a loop, and it minimizes transmission overhead. Neither is essential to the scheme, as well-known algorithms exist for loop detection and transmission overheads are commonly traded against cost.)

An operator at a WS 22 must "log on" to the system before he is permitted to invoke any actions or access any data. At a keyboard (not shown) or similar device associated with a WS, he enters a logon request comprising at least a user ID (perhaps his name or a derivative thereof) and a password, and which may further comprise an account number, used for administrative division of the various tasks the operator may perform. His logon request is passed over a communication link 20 to the IPMS process in the NMS with which the WS is associated, seen in Figure 3 to be assumed to be NMS 14a. At this point the IPMS process has no cognizance of communicating with any particular human operator, but only that it is receiving communications over a particular connection. IPMS 24a invokes the Security Services process SS 28a, which accesses a file on storage medium 30a and retrieves, for the user ID provided by the operator, a prestored password and compares the prestored password with the password provided by the operator; in the event of noncomparison, the connection is not accorded a "logged on" status. If there is a comparison, the connection is considered "logged on", and remains so until the connection requests logoff, or until NMS 14a logs it off as a result of not receiving anything over it for a predetermined period of time, as will be discussed further below; while the connection is logged on, the operator may enter requests for system services. While he is logged on, SS 28a associates his password, user ID, account ID, and corporate affiliation as retrieved from the file on storage medium 30a with his connection.

Since WSs may be located anywhere and connected to NMSs via communications links 20, it is important that the files on storage medium 30a are located at the NMS (a "trusted facility", presumably with very strict access procedures) and that the verification is performed there; the possibility of tampering with the files or the logon process is thereby greatly reduced. There remains the possibility that an unauthorized person learns an authorized operator's password and provides it in a logon request from a WS; this risk can be reduced, though not eliminated, by well-known procedures regarding passwords (not using as passwords words that have an association with the operator, changing passwords periodically, etc.).

It is seen in Figure 3 that when a logged-on operator at a WS 22b enters at his keyboard (not shown) a request which cannot be resolved within that WS (i.e., which must be passed to another component of the system), a message 100 containing the request is passed over a communication link 20 to the IPMS process of the NMS to which that WS is connected, here assumed to be IPMS 24a in NMS 14a. IPMS 24a receives the message and appends the user ID, account ID, and corporate affiliation associated with the operator's connection; IPMS 24a determines (by means not germane to an understanding of the present invention) what process must be invoked to fulfill the operator's request, and whether that process is located in NMS 14a or in some other NMS (of which only NMS 14b is shown in Figure 3). IPMS 24a will accordingly forward a message 101 either directly to process 32a, or over a communication link 20 to IPMS 24b in NMS 14b, which in turn forwards it to a process 32b; in either case, the message includes not only the operator's request, but also his user ID, account ID, and corporate affiliation. The process 32a or 32b invoked to fulfill his request not only may presume that the request originated from a validly logged-on operator (because of the verification performed at a "trusted system", as described), but may further perform checks as to whether the service or data access requested is appropriate to an operator having the particular attributes included in the request message.
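
The logon and message-tagging sequence described above, as an added example that is not part of the patent (the original describes no code): a Python sketch of the NMS side, with the Security Services check performed at the NMS against its own credential file, the attributes bound to the connection, the IPMS appending them to every request, routing either to a local handler or over a single NMS-to-NMS hop, and the receiving process checking the requester's corporate affiliation against the NAC's owning organization. The class and function names, the NAC ownership table, the one-hop rule carried as a message flag, and the storage of passwords as salted PBKDF2 hashes are all assumptions of this example; the text says only that a prestored password is compared with the one supplied.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

# Security Services (SS) side: the credential file lives on the NMS's own storage,
# never on a WS.  Salted PBKDF2 hashes are an assumption of this example.
def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

@dataclass
class UserRecord:
    salt: bytes
    pw_hash: bytes
    account_id: str
    corporate_affiliation: str

def make_user_file(entries) -> Dict[str, UserRecord]:
    """Constructed stand-in for the file on storage medium 30a."""
    user_file = {}
    for user_id, password, account_id, corp in entries:
        salt = os.urandom(16)
        user_file[user_id] = UserRecord(salt, _hash_pw(password, salt), account_id, corp)
    return user_file

@dataclass
class Connection:
    """Per-link state kept in the NMS; attributes are bound only after a good logon."""
    logged_on: bool = False
    user_id: Optional[str] = None
    account_id: Optional[str] = None
    corporate_affiliation: Optional[str] = None

class NMS:
    def __init__(self, name: str, user_file: Dict[str, UserRecord], nac_owner: Dict[str, str]):
        self.name = name
        self.user_file = user_file          # SS credential store local to this NMS
        self.nac_owner = nac_owner          # NACs in this NMS's purview -> owning organization
        self.peers: Dict[str, "NMS"] = {}   # one link 20 to every other NMS
        self.connections: Dict[str, Connection] = {}

    def logon(self, conn_id: str, user_id: str, password: str) -> bool:
        """SS check, performed at the trusted node rather than at the WS."""
        conn = self.connections.setdefault(conn_id, Connection())
        rec = self.user_file.get(user_id)
        # An unknown user and a wrong password look the same to the WS.
        if rec is None or not hmac.compare_digest(_hash_pw(password, rec.salt), rec.pw_hash):
            return False
        conn.logged_on = True
        conn.user_id, conn.account_id = user_id, rec.account_id
        conn.corporate_affiliation = rec.corporate_affiliation
        return True

    def ipms_receive_from_ws(self, conn_id: str, request: dict) -> dict:
        """IPMS entry point: append the connection's attributes, then route."""
        conn = self.connections.get(conn_id)
        if conn is None or not conn.logged_on:
            return {"status": "rejected", "reason": "connection not logged on"}
        msg = dict(request)
        # Attributes come from the connection record; anything the WS put under these keys is overwritten.
        msg.update(user_id=conn.user_id, account_id=conn.account_id,
                   corporate_affiliation=conn.corporate_affiliation, forwarded=False)
        return self._route(msg)

    def _route(self, msg: dict) -> dict:
        if msg["nac"] in self.nac_owner:
            return self.ats_handle(msg)
        if msg["forwarded"]:                # system rule: at most one NMS-to-NMS hop
            return {"status": "rejected", "reason": "would need a second NMS-to-NMS hop"}
        for peer in self.peers.values():
            if msg["nac"] in peer.nac_owner:
                msg["forwarded"] = True
                return peer._route(msg)
        return {"status": "rejected", "reason": "unknown NAC"}

    def ats_handle(self, msg: dict) -> dict:
        """Receiving process: policy check on the appended attributes."""
        if self.nac_owner[msg["nac"]] != msg["corporate_affiliation"]:
            return {"status": "rejected", "reason": "NAC outside requester's purview"}
        return {"status": "ok", "nms": self.name, "user_id": msg["user_id"]}

def demo() -> dict:
    """Constructed sequence: WS 22b linked to NMS 14a, NACs split between 14a and 14b."""
    users = make_user_file([("alice", "correct horse", "ACCT-1", "ProviderX"),
                            ("bob", "hunter2", "ACCT-2", "ProviderY")])
    a = NMS("14a", users, {"NAC-3a": "ProviderX"})
    b = NMS("14b", users, {"NAC-3b": "ProviderX", "NAC-3c": "ProviderY"})
    a.peers["14b"], b.peers["14a"] = b, a
    req = lambda nac, **extra: {"op": "status", "nac": nac, **extra}
    out = {}
    out["before_logon"] = a.ipms_receive_from_ws("ws22b", req("NAC-3a"))
    out["bad_pw"] = a.logon("ws22b", "alice", "wrong")
    out["good_pw"] = a.logon("ws22b", "alice", "correct horse")
    out["local"] = a.ipms_receive_from_ws("ws22b", req("NAC-3a"))
    out["remote"] = a.ipms_receive_from_ws("ws22b", req("NAC-3b"))
    out["other_org"] = a.ipms_receive_from_ws("ws22b", req("NAC-3c"))
    out["spoof"] = a.ipms_receive_from_ws("ws22b", req("NAC-3c", corporate_affiliation="ProviderY"))
    return out
```

The point worth noticing in the sequence is that the workstation never supplies its own attributes: the IPMS overwrites whatever is in the request with what Security Services bound to the connection at logon, so a WS in an untrusted facility cannot claim another organization's affiliation, and the receiving process can rely on the fields it sees.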

If a logged-on operator leaves his WS, and if an unauthorized person enters requests at it, NMS 14a has no way of determining that these requests are not originating from the authorized operator. Primary responsibility for such situations must rest with the entities that control access to the WSs and with the authorized operators (who have the option of logging off before leaving their WSs), but a feature of the present invention lessens the possibility for such unauthorized entry of requests. The IPMSs 24 note the times at which messages are received from logged-on WSs, and periodically determine whether there are any such WSs from which no messages have been received in a first predetermined time; messages are sent to such WSs informing them that if no messages are received from them in a second predetermined time, they will be logged off. If nothing is received from such a WS before the expiration of the second predetermined time, it is in fact logged off. When the authorized operator returns to it, he can log on again; but an unauthorized person (who presumably does not know a valid password) approaching the WS is unable to enter any requests.
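
The two-stage idle logoff described above, as an added example that is not the patent's code: an idle monitor (a hypothetical piece of the IPMS) records the time of the last message from each logged-on WS, sends a warning after a first predetermined time of silence, and logs the WS off if nothing arrives within a second predetermined time after the warning. The time values, the names, and the injectable clock are assumptions; the text does not quantify either period. Any traffic from the WS cancels a pending warning, and a message arriving after logoff is refused rather than reviving the session.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# The text does not quantify the two predetermined times; these are assumed values.
T_WARN = 300.0     # silence (seconds) before the warning message is sent
T_LOGOFF = 60.0    # further silence after the warning before the WS is logged off

@dataclass
class WsSession:
    logged_on: bool = True
    last_rx: float = 0.0
    warned_at: Optional[float] = None

class IdleMonitor:
    """Idle-WS bookkeeping kept by the NMS's IPMS (names are made up for this example)."""
    def __init__(self, now: Callable[[], float]):
        self.now = now                  # injectable clock so the sweep is testable offline
        self.sessions: Dict[str, WsSession] = {}
        self.sent: List[Tuple[float, str, str]] = []   # (time, ws, text) sent to WSs

    def logon(self, ws: str) -> None:
        """Called once Security Services has accepted the logon; starts the idle clock."""
        self.sessions[ws] = WsSession(last_rx=self.now())

    def message_received(self, ws: str) -> bool:
        """Returns False if the WS is not logged on (it must log on afresh)."""
        s = self.sessions.get(ws)
        if s is None or not s.logged_on:
            return False
        s.last_rx = self.now()
        s.warned_at = None              # any traffic cancels a pending warning
        return True

    def sweep(self) -> List[str]:
        """Periodic check; returns the WSs logged off during this sweep."""
        t = self.now()
        logged_off = []
        for ws, s in self.sessions.items():
            if not s.logged_on:
                continue
            if s.warned_at is None:
                if t - s.last_rx >= T_WARN:
                    s.warned_at = t
                    self.sent.append((t, ws, f"no traffic for {T_WARN:g}s; "
                                             f"logoff in {T_LOGOFF:g}s unless a message is received"))
            elif t - s.warned_at >= T_LOGOFF:
                s.logged_on = False
                logged_off.append(ws)
                self.sent.append((t, ws, "logged off"))
        return logged_off

def demo() -> dict:
    """Constructed timeline (seconds): three WSs log on at t=0."""
    clock = [0.0]
    m = IdleMonitor(lambda: clock[0])
    for ws in ("ws22a", "ws22b", "ws22c"):
        m.logon(ws)
    clock[0] = 200.0
    m.message_received("ws22a")           # 22a keeps working
    clock[0] = 310.0
    first = m.sweep()                     # 22b and 22c have been silent 300s: warned
    clock[0] = 330.0
    m.message_received("ws22c")           # 22c answers the warning
    clock[0] = 380.0
    second = m.sweep()                    # 22b silent 60s past its warning: logged off
    clock[0] = 390.0
    late = m.message_received("ws22b")    # too late; a fresh logon is required
    return {"first_sweep": first, "second_sweep": second,
            "warned": [ws for _, ws, txt in m.sent if txt.startswith("no traffic")],
            "still_on": sorted(ws for ws, s in m.sessions.items() if s.logged_on),
            "late_message_accepted": late}
```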

Those skilled in the art will perceive applications of the invention in embodiments other than the one described here. The invention is intended to be embraced by the appended claims and not limited by the foregoing embodiment.

Claims

1. In a distributed digital data network comprising a plurality of interconnected control nodes with one or more workstations connected to each control node, the control nodes being responsive to requests entered at the workstations by operators, each of whom has logged on to the network by identifying himself and providing a password matching a password prestored for him, the control nodes being located in controlled-access trusted facilities and the workstations being located in untrusted facilities, a method of enhancing network security comprising the steps of:

entering and storing a prestored password for an operator at a trusted facility; and

forwarding from a workstation to a control node at a trusted facility a password provided by an operator attempting to log on and performing comparison with a password prestored for that operator within the control node at the trusted facility.

2. The method recited in claim 1 wherein further each control node is controlled by software organized as a plurality of processes, and a first certain process in each control node receives requests from workstations and forwards requests to second processes for disposition,

and wherein the method further includes the steps of:

storing with each operator's prestored password his account number, his user identification, and his corporate affiliation;

retrieving each operator's password, user account number, user identification, and corporate affiliation responsive to the first certain process upon its receipt of a request from an operator;

forwarding to the second process the user account number, user identification, and corporate affiliation along with a request from an operator; and

verifying in the second process that the action requested is appropriate to the user account number, user identification, and corporate affiliation.

3. In a distributed digital data network comprising a plurality of interconnected control nodes with one or more workstations connected to each control node, the control nodes being responsive to requests entered at the workstations by operators, each of whom has logged on to the network by identifying himself and providing a password matching a password prestored for him, the control nodes being located in controlled-access trusted facilities and the workstations being located in untrusted facilities,

each control node being controlled by software organized as a plurality of processes, and a first certain process in each control node receiving requests from workstations and forwarding requests to second processes for disposition,

a method of enhancing network security comprising the steps of:

entering and storing a prestored password for an operator at a trusted facility;

forwarding from a workstation to a control node at a trusted facility a password provided by an operator attempting to log on and performing comparison with a password prestored for that operator within the control node at the trusted facility;

storing with each operator's prestored password his account number, his user identification, and his corporate affiliation;

retrieving each operator's password, user account number, user identification, and corporate affiliation responsive to the first certain process upon its receipt of a request from an operator;

forwarding to the second process the user account number, user identification, and corporate affiliation along with a request from an operator; and

verifying in the second process that the action requested is appropriate to the user account number, user identification, and corporate affiliation.

4. The method recited in claim 1, wherein further:

each control node notes times at which requests are received from each workstation connected to it, and each control node logs off operators at workstations from which no requests are received for a predetermined period of time.

5. The method recited in claim 2, wherein further:

each control node notes times at which requests are received from each workstation connected to it, and each control node logs off operators at workstations from which no requests are received for a predetermined period of time.

6. The method recited in claim 3, wherein further:

each control node notes times at which requests are received from each workstation connected to it, and each control node logs off operators at workstations from which no requests are received for a predetermined period of time.